Abstract. We construct Weil numbers corresponding to genus-2 curves with p-rank 1 over the finite field $\mathbb{F}_{p^2}$ of $p^2$ elements. The corresponding curves can be constructed using explicit CM constructions. In one of our algorithms, the group of $\mathbb{F}_{p^2}$-valued points of the Jacobian has prime order, while another allows for a prescribed embedding degree with respect to a subgroup of prescribed order. The curves are defined over $\mathbb{F}_{p^2}$ out of necessity: we show that curves of p-rank 1 over $\mathbb{F}_p$ for large $p$ cannot be efficiently constructed using explicit CM constructions.



1. Introduction 

The p-rank of an abelian variety $A$ over a field $k$ of characteristic $p$ is the integer $r = r(A)$ such that the group $A[p](\bar k)$ of $p$-torsion points over an algebraic closure $\bar k$ of $k$ has order $p^r$. It satisfies $0 \le r \le g$, where $g$ is the dimension of $A$, and we call $A$ ordinary if $r$ is equal to $g$. If $A$ is supersingular, that is, if $A$ becomes isogenous over $\bar k$ to a product of supersingular elliptic curves, then we have $r = 0$, and the converse holds for abelian surfaces: if $r = 0$ and $g = 2$, then $A$ is supersingular.

This shows that for an abelian surface $A$, besides the ordinary and supersingular cases, there is only one intermediate case: the case where $A$ has p-rank 1. Most CM constructions of curves of genus two [3T1 [371 SI IS] generate curves that are ordinary with probability tending to 1, while another [18] constructs only supersingular curves. We focus on the intermediate case, for which no constructions existed yet.

The p-rank $r(A)$ depends only on the isogeny class of $A$ over $k$, and any simple abelian surface $A$ of p-rank 1 over a finite field $k$ is isogenous to the Jacobian of a curve over $k$ of genus 2 (see Section 2). By the p-rank of a curve $C$, we mean the p-rank of its Jacobian $J_C$.

Let $k$ be the finite field of order $q = p^n$. The Frobenius endomorphism $\pi$ of a simple abelian variety over $k$ is a Weil $q$-number, i.e., an algebraic integer $\pi$ such that $|\pi|^2 = q$ holds for every embedding of the field $K = \mathbb{Q}(\pi)$ into the complex numbers. A theorem of Honda and Tate [24] states that this defines a bijection between the set of isogeny classes of simple abelian varieties over $k$ and the set of Weil $q$-numbers up to Galois conjugacy.

We characterize those Weil numbers corresponding to abelian surfaces with p-rank 1 in Section 2, show their existence in Section 3 and give algorithms for finding them in Section 4. In Section 3 we also explain why curves of p-rank 1 over $\mathbb{F}_p$ for large $p$ cannot be efficiently constructed using explicit CM constructions.

The construction of an abelian variety $A$ corresponding to a given Weil $q$-number $\pi$ dates back to Shimura and Taniyama [20] and Honda [T^]. It exhibits $A$ as the reduction of a characteristic-0 abelian variety with complex multiplication (CM) by $\mathbb{Z}[\pi]$ and is also known as the CM method. We explain this explicit CM construction in Section 5. For now, it suffices to say that the computational complexity of this construction grows very rapidly with the size of the field $K = \mathbb{Q}(\pi)$. Therefore, our algorithms will look for Weil $q$-numbers $\pi$ only in fixed small input fields $K$.

Let $A$ be an abelian variety over the finite field $k$ and suppose that $A(k)$ has a subgroup of prime order $r$. The embedding degree of $A$ with respect to $r$ is the degree of the field extension $k(\zeta_r)/k$, where $\zeta_r$ is a primitive $r$-th root of unity. The Weil and Tate pairings on $A$ with respect to $r$ have their image in $\langle\zeta_r\rangle \subset k(\zeta_r)^*$, and in order to compute these pairings, one needs to work with $k(\zeta_r)$. As the embedding degree is the order of $q$ in $(\mathbb{Z}/r\mathbb{Z})^*$, it is close to $r$ for most curves, while for pairing-based cryptography, one wants $r$ to be large and the embedding degree to be small. Algorithm 3 in Section 4 provides curves with p-rank 1 and a prescribed small embedding degree.

We used our algorithms to compute various examples, which we give in Section[51 
Each example was computed in a few seconds on a standard PC. 

2. Characterization of abelian surfaces of p-rank 1 

It follows from the definition that the p-rank $r(A)$ of an abelian variety $A$ does not change under extensions of the base field, and that it satisfies $r(A \times B) = r(A) + r(B)$ for any pair of abelian varieties $A$ and $B$. It is also well-known that the p-rank is invariant under isogeny (see Lemma 2 below). In particular, the non-simple abelian surfaces of p-rank 1 are exactly those isogenous to the product of an ordinary and a supersingular elliptic curve. Both types of elliptic curves are well understood, so we focus on simple abelian surfaces. We use the word isogeny to mean isogeny defined over the base field $k$, unless otherwise stated. We use the same convention for the definition of simple abelian variety.

Our algorithms are based on a characterization of Weil numbers corresponding to simple abelian surfaces of p-rank 1, which we give in this section. A major part of this characterization can already be found in Goren [9] and Gonzalez [8, proof of Thm. 3.7], but we give a proof, as this result is the foundation of our construction.

Let $k$ be the finite field of $q = p^n$ elements and let $\pi$ be a Weil $q$-number. For every embedding of the field $K = \mathbb{Q}(\pi)$ into $\mathbb{C}$, complex conjugation on $K$ is given by $\pi \mapsto q/\pi$. As this automorphism of $K$ doesn't depend on the choice of the embedding, we denote it by $x \mapsto \bar x$ and call it complex conjugation. If we let $K_0$ be the fixed field of complex conjugation, then $K_0$ is totally real and $K$ is either equal to $K_0$ or it is a CM-field, that is, a totally imaginary quadratic extension of a totally real number field.

Lemma 1. A simple abelian variety $A$ over the field $k$ of $q = p^n$ elements has dimension 2 and p-rank 1 if and only if the following three conditions hold for its Frobenius endomorphism $\pi$:

(1) the field $K = \mathbb{Q}(\pi)$ is a CM-field of degree 4,

(2) the prime $p$ factors in $K$ as $pO_K = \mathfrak{p}_1\bar{\mathfrak{p}}_1\mathfrak{p}_2^e$ with $e \in \{1, 2\}$, and

(3) we have $\pi O_K = \mathfrak{p}_1^n\mathfrak{p}_2^{en/2}$ with $e$ as in (2).

Note that condition (3) implies that $en$ is even.

We prove Lemma 1 using the following formula for the p-rank of an abelian variety.

Lemma 2 ([8, Prop. 3.1]). Let $A$ be a simple abelian variety over $k$ and let $K = \mathbb{Q}(\pi)$, where $\pi$ is the Frobenius endomorphism of $A$. There is an integer $m$ such that $2\dim(A) = m\deg K$ holds. Suppose that $p$ factors in $K$ as $pO_K = \prod_i \mathfrak{p}_i^{e_i}$ and let $f_i$ be given by $\#(O_K/\mathfrak{p}_i) = p^{f_i}$. Then we have $r(A) = \sum m e_i f_i$, where the sum is taken over those $i$ for which $\pi \notin \mathfrak{p}_i$ holds.

Proof. The degree $\deg g$ and separable degree $\deg_s g$ of an isogeny $g : A \to B$ of abelian varieties are defined to be the degree and separable degree of the induced embedding of function fields $g^* : k(B) \to k(A)$. We have $\#(\ker g)(\bar k) = \deg_s g$, hence $p^{r(A)}$ is the separable degree of the multiplication-by-$p$ map on $A$. As the separable degree is multiplicative under composition, we find that the p-rank of $A$ depends only on its isogeny class, hence we can assume that $\mathrm{End}_k A$ contains the maximal order $O_K$ by [IH, Prop. 7 in §7.1].

The existence of $m$ follows from [24, Thm. 1(2)]. The theory in [20, §7] shows how to factor the multiplication-by-$p$ map into multiplication-by-$\mathfrak{p}_i$ maps for prime ideals $\mathfrak{p}_i$, and that the multiplication-by-$\mathfrak{p}_i$ map has degree $p^{f_i m}$. The Frobenius endomorphism $\pi$ is totally inseparable by [22, Thm. 1(iii) in §2.8], hence so is multiplication-by-$\mathfrak{p}_i$ if $\mathfrak{p}_i$ contains $\pi$. If $\mathfrak{p}_i$ is coprime to $\pi$, then [22, Prop. 6 in §2.8] shows that it is separable, hence satisfies $\deg_s \mathfrak{p}_i = \deg \mathfrak{p}_i$. □

Proof of Lemma 1. If $A$ has dimension 2 and p-rank 1, then Lemma 2 tells us $m = 1$, hence $K$ has degree 4 and exactly one prime $\bar{\mathfrak{p}}_1 \mid p$ with $\pi \notin \bar{\mathfrak{p}}_1$, which is unramified and has residue degree 1. This implies $pO_K = \mathfrak{p}_1\bar{\mathfrak{p}}_1\mathfrak{q}$, where $\mathfrak{q}$ is prime in the fixed field $K_0$ of complex conjugation.

To prove that (2) and (3) hold, it now suffices to prove that $\mathfrak{q}$ does not split in $K/K_0$. Suppose that it does, say $\mathfrak{q} = \mathfrak{q}_1\bar{\mathfrak{q}}_1$. Then by [24, Thm. 1(1)], the fact $m = 1$ implies that $\mathrm{ord}_{\mathfrak{q}_1}(\pi)$ is either 0 or equal to the degree $n = \deg k/\mathbb{F}_p$. We also have $\mathrm{ord}_{\mathfrak{q}_1}(\pi) + \mathrm{ord}_{\bar{\mathfrak{q}}_1}(\pi) = \mathrm{ord}_{\mathfrak{q}_1}(\pi\bar\pi) = n$, hence one of $\mathfrak{q}_1$ and $\bar{\mathfrak{q}}_1$ does not divide $\pi$, which contradicts the uniqueness of $\bar{\mathfrak{p}}_1$.

Conversely, if $\pi$ satisfies (1), (2), and (3), then Lemma 2 implies $r(A) = m$ with $2\dim(A) = m\deg K$, and [24, Thm. 1(1)] implies $m = 1$. □

Corollary 3. A simple abelian surface $A/k$ of p-rank 1 is absolutely simple, that is, simple over $\bar k$, and is isogenous to the Jacobian of a curve $C$ over $k$.

Proof. Suppose that $k'/k$ is an extension of degree $d$ such that we have $A_{k'} \sim E \times F$. The Frobenius endomorphism of $A_{k'}$ is $\pi^d$ and the characteristic polynomial of its action on the $\ell$-adic Tate module of $A$ for $\ell \ne p$ is the product of the (quadratic) characteristic polynomials of the action on the Tate modules of $E$ and $F$.

On the other hand, part (3) of Lemma 1 implies that $\mathbb{Q}(\pi^d)$ is equal to $K$, which is a field of degree 4. This is a contradiction, hence $A$ is absolutely simple.

By [15, Theorem 4.3], any absolutely simple abelian surface over a finite field $k$ is isogenous to the Jacobian of a curve. □

Remark 4. The conditions (1), (2), and (3) of Lemma 1 are equivalent to conditions (M) of Theorem 2.9 of Maisner and Nart [15], i.e., to the characteristic polynomial $f = X^4 - a_1X^3 + (a_2 + 2q)X^2 - qa_1X + q^2$ of $\pi$ satisfying

(1) $f$ is irreducible,

(2) $\mathrm{ord}_p(a_1) = 0$,

(3) $\mathrm{ord}_p(a_2) \ge n/2$,

(4) and that $(a_2 + 4q)^2 - 4qa_1^2$ is not a square in the ring of $p$-adic integers $\mathbb{Z}_p$.
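The conditions of Remark 4 can be checked mechanically for a candidate characteristic polynomial. The following Python is an added example, not code from the paper: given $p$, $n$ and the coefficients $a_1, a_2$ of $f$, it tests each condition together with the Weil condition on the roots, reads off the p-rank from the Newton polygon of $f$ (the number of roots that are $p$-adic units), uses the standard identity $\#J_C(\mathbb{F}_q) = f(1) = N(\pi - 1)$ for the group order, and computes the embedding degree of Section 1 with respect to a prime $r$ dividing it; the sample coefficients are constructed for this example.

```python
"""Check Remark 4 for f = X^4 - a1 X^3 + (a2 + 2q) X^2 - q a1 X + q^2, q = p^n.
Added example (not the paper's code); the sample coefficients below are constructed."""
from math import isqrt


def ord_p(x, p):
    """p-adic valuation of an integer; None stands for +infinity (x == 0)."""
    if x == 0:
        return None
    v = 0
    while x % p == 0:
        x //= p
        v += 1
    return v


def is_padic_square(D, p):
    """Is the integer D a square in Z_p?  Even valuation and a unit part that is
    a square mod p (a unit = 1 mod 8 when p == 2)."""
    if D == 0:
        return True
    v = ord_p(D, p)
    if v % 2:
        return False
    u = D // p ** v
    return u % 8 == 1 if p == 2 else pow(u % p, (p - 1) // 2, p) == 1


def is_weil_polynomial(p, n, a1, a2):
    """All roots of f on |X| = sqrt(q): with t = X + q/X the roots t1, t2 of
    g(t) = t^2 - a1 t + a2 must be real and lie in [-2 sqrt(q), 2 sqrt(q)]."""
    q = p ** n
    return (a1 * a1 - 4 * a2 >= 0 and a1 * a1 <= 16 * q
            and a2 + 4 * q >= 0 and (a2 + 4 * q) ** 2 >= 4 * q * a1 * a1)


def is_irreducible(p, n, a1, a2):
    """Irreducibility of f over Q: no integer root and no factorization into monic
    quadratics (X^2 + bX + c)(X^2 + dX + e) with integer coefficients (Gauss' lemma)."""
    q = p ** n
    c3, c2, c1, c0 = -a1, a2 + 2 * q, -q * a1, q * q
    divisors = [s * p ** i for i in range(2 * n + 1) for s in (1, -1)]  # divisors of q^2
    if any(x ** 4 + c3 * x ** 3 + c2 * x ** 2 + c1 * x + c0 == 0 for x in divisors):
        return False
    for c in divisors:                      # c * e == c0 and b + d == c3
        e = c0 // c
        if e == c:                          # b, d are the roots of t^2 - c3 t + (c2 - 2c)
            disc = c3 * c3 - 4 * (c2 - 2 * c)
            if c1 == c * c3 and disc >= 0 and isqrt(disc) ** 2 == disc \
                    and (c3 + isqrt(disc)) % 2 == 0:
                return False
        elif (c1 - c * c3) % (e - c) == 0:  # b * (e - c) == c1 - c * c3
            b = (c1 - c * c3) // (e - c)
            if c + e + b * (c3 - b) == c2:
                return False
    return True


def p_rank(p, n, a1, a2):
    """p-rank = number of roots of f that are p-adic units = 4 minus the multiplicity
    of the root 0 of (f mod p), i.e. the length of the slope-0 part of the Newton polygon."""
    q = p ** n
    low_to_high = [q * q, -q * a1, a2 + 2 * q, -a1, 1]
    mult = 0
    while low_to_high[mult] % p == 0:
        mult += 1
    return 4 - mult


def embedding_degree(q, r):
    """Order of q in (Z/rZ)^*, i.e. the degree of F_q(zeta_r) over F_q."""
    k, x = 1, q % r
    while x != 1:
        x, k = x * q % r, k + 1
    return k


def check_prank1(p, n, a1, a2):
    """Remark 4 conditions (1)-(4) plus the Weil condition, the p-rank and #J(F_q) = f(1)."""
    q = p ** n
    D = (a2 + 4 * q) ** 2 - 4 * q * a1 * a1
    conds = {
        "weil": is_weil_polynomial(p, n, a1, a2),
        "irreducible": is_irreducible(p, n, a1, a2),
        "ord_p(a1) == 0": ord_p(a1, p) == 0,
        "ord_p(a2) >= n/2": ord_p(a2, p) is None or 2 * ord_p(a2, p) >= n,
        "D not a square in Z_p": not is_padic_square(D, p),
    }
    return {"conditions": conds, "prank1": all(conds.values()),
            "p_rank": p_rank(p, n, a1, a2),
            "group_order": 1 - a1 + (a2 + 2 * q) - q * a1 + q * q}


if __name__ == "__main__":
    # constructed sample: q = 25, f = X^4 - X^3 + 45 X^2 - 25 X + 625
    res = check_prank1(5, 2, 1, -5)
    print(res)                       # p-rank 1, group order 645 = 3 * 5 * 43
    print(embedding_degree(25, 43))  # embedding degree 21 w.r.t. the subgroup of order 43
```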

Remark 5. For an elliptic curve $E$ over a finite field $k$, the rank of the $\mathbb{Z}$-algebra $\mathrm{End}_{\bar k}(E)$ of $\bar k$-endomorphisms is either 2 or 4, and these cases correspond exactly to the cases $r(E) = 1$ and $r(E) = 0$.

For abelian surfaces $A$, the p-rank $r(A)$ cannot be computed from the $\mathbb{Z}$-rank of the endomorphism algebra. In fact, for absolutely simple abelian surfaces $A$, the ring $\mathrm{End}_{\bar k}(A) \otimes \mathbb{Q}$ is always a CM-field of degree 4, while both $r(A) = 1$ and $r(A) = 2$ occur (see also [8, Thm 3.7(ii)]).

3. Existence of suitable Weil numbers 

Let $p$ be a prime that factors in $K$ as in (2) of Lemma 1. The fact that not all primes over $p$ have the same ramification index or residue degree implies that the degree-4 extension $K/\mathbb{Q}$ is not Galois. As $K$ has a non-trivial automorphism, complex conjugation, the normal closure $L$ of $K$ has Galois group $D_4$. We therefore have to restrict to non-Galois quartic number fields $K$ with Galois group $D_4$.

In the case $e = 2$, the prime $p$ ramifies in $K$, hence divides its discriminant. Since explicit CM constructions are feasible only for small fields $K$, i.e., fields $K$ of small discriminant, this means that we can construct the curve $C$ corresponding to $\pi$ only for very small values of $p$. For such small values of $p$, not only are the curves less interesting, especially from a cryptographic point of view, it also becomes possible to construct them using a more direct approach such as by enumerating all curves $C$ of genus 2 over $\mathbb{F}_p$ and computing the group orders of their Jacobians. Therefore, we will focus on the case $e = 1$. For $e = 1$, condition (3) of Lemma 1 implies $2 \mid n$, so that curves are defined only over fields containing $\mathbb{F}_{p^2}$. This is the reason why we construct our curves over $\mathbb{F}_{p^2}$ and not over $\mathbb{F}_p$, and this is why curves of p-rank 1 over $\mathbb{F}_p$ for large $p$ cannot be efficiently constructed using explicit CM constructions.

We have found that all fields with p-rank-1 Weil $p^2$-numbers are quartic non-Galois CM-fields. However, not all quartic non-Galois CM-fields have p-rank-1 Weil $p^2$-numbers, and we give a complete characterization in Section 6.

For now, we give two lemmas that put a condition on the CM-fields K that is 
slightly too strong, but is easy to check and is satisfied by 'most' non-Galois quartic 
CM-fields. 

Lemma 6. Let $K$ be a quartic CM-field and let $p$ be a prime that factors in $K$ as $pO_K = \mathfrak{p}_1\bar{\mathfrak{p}}_1\mathfrak{p}_2$. Suppose that $\mathfrak{p}_1 = \alpha O_K$ is principal. Then $\pi = \alpha\bar\alpha^{-1}p$ is a Weil $p^2$-number that satisfies the conditions of Lemma 1.

Proof. The number $\pi$ satisfies $\pi\bar\pi = p^2$, hence is a Weil $p^2$-number. Conditions (1) and (2) of Lemma 1 are satisfied by assumption. Moreover, we have $\mathfrak{p}_2 = p(\mathfrak{p}_1\bar{\mathfrak{p}}_1)^{-1} = p(\alpha\bar\alpha)^{-1}O_K$, so that we have $\pi O_K = \mathfrak{p}_1^2\mathfrak{p}_2$, i.e., condition (3) is also satisfied. □

The condition on $p$ of Lemma 6 is stronger than the condition that there exists a Weil $p^2$-number in $K$ with $e = 1$. The following lemma gives a necessary and sufficient criterion on $K$ for the existence of primes $p$ satisfying this stronger condition.
For a non-Galois quartic CM-field $K$, let $L$ be its normal closure over $\mathbb{Q}$ and let $d$ be the discriminant of the real quadratic subfield $K_0$ of $K$. Then we have $K = K_0(\sqrt r)$ for a totally negative element $r \in K_0$, and $s = N_{K_0/\mathbb{Q}}(r) \in \mathbb{Q}$ is not a square, because $K$ is non-Galois. Let $d'$ be the discriminant of the real quadratic field $K_0' = \mathbb{Q}(\sqrt s)$. Note that this field is independent of the choice of $r$. Indeed, the element $r$ is well-defined up to squares in $K_0^*$, hence $s$ is well-defined up to squares in $\mathbb{Q}^*$.

A prime discriminant is a number that is $-4$ or $\pm 8$ or is $\pm p \equiv 1 \pmod 4$ for an odd prime $p$. The discriminant of a quadratic field can be written uniquely as a product of distinct prime discriminants in which at most one even factor occurs.

Lemma 7. Let $K$ be a non-Galois quartic CM-field. The following are equivalent:

(1) there exists a prime $p$ that factors in $K$ as $pO_K = \mathfrak{p}_1\bar{\mathfrak{p}}_1\mathfrak{p}_2$ with $\mathfrak{p}_1$ principal;

(2) the Dirichlet density of the set of primes $p$ as in (1) is $(4h_K)^{-1}$, where $h_K$ is the class number of $K$;

(3) there is a prime that ramifies in $L/K$;

(4) not all prime discriminants in the discriminant factorization of $d'$ occur in that of $d$.

Proof. The implication (2) $\Rightarrow$ (1) is trivial. Now suppose that (1) holds, so the decomposition group of $\mathfrak{p}_1$ in $\mathrm{Gal}(L/\mathbb{Q})$ is $\mathrm{Gal}(L/K)$ and the ideal class of $\mathfrak{p}_1$ is trivial. By the Artin isomorphism $\mathrm{Cl}_K \to \mathrm{Gal}(H/K)$, this implies that the decomposition group of $\mathfrak{p}_1$ in $\mathrm{Gal}(H/K)$ is trivial for the Hilbert class field $H$ of $K$. As the decomposition group of $\mathfrak{p}_1$ in $\mathrm{Gal}(L/K)$ is non-trivial, this implies that $L$ is not contained in the maximal unramified abelian extension $H$ of $K$, so $L/K$ ramifies at some prime and (3) holds.

For the proof of (3) $\Rightarrow$ (2), we use again that the primes $p$ as in (1) are those for which there exists a prime in $L$ over $p$ with decomposition group $\mathrm{Gal}(L/K)$ in $L/\mathbb{Q}$ and trivial decomposition group in $H/K$. Let $M \supset LH$ be Galois over $\mathbb{Q}$. Since (3) implies $L \cap H = K$, we find $\mathrm{Gal}(HL/K) = \mathrm{Gal}(H/K) \times \mathrm{Gal}(L/K)$ and hence that exactly 1 in every $8h_K$ elements $\sigma \in \mathrm{Gal}(M/\mathbb{Q})$ satisfies $\langle\sigma|_L\rangle = \mathrm{Gal}(L/K)$ and $\sigma|_H = 1$. The conjugacy class of $\mathrm{Gal}(L/K)$ in $\mathrm{Gal}(L/\mathbb{Q})$ has two elements, hence the set of all $\sigma$ yielding the appropriate factorization is twice as large, i.e., consists of 1 in every $4h_K$ elements of $\mathrm{Gal}(M/\mathbb{Q})$. By Chebotarev's density theorem [17, Theorem 13.4], this implies that the density of primes with this factorization is $(4h_K)^{-1}$, which proves (2).

Now, it remains to prove (3) $\Leftrightarrow$ (4). Let $L_0$ be the compositum of $K_0$ and $K_0'$ in $L$. A prime $q \in \mathbb{Z}$ ramifies in $L/K$ if and only if its inertia group in $\mathrm{Gal}(L/\mathbb{Q})$ contains $\mathrm{Gal}(L/K)$ or its conjugate. This is equivalent to $q$ ramifying in $L_0/K_0$, that is, to the prime discriminant in $d'$ corresponding to $q$ not occurring in the prime discriminant factorization of $d$. □

Example 8. The field $K = \mathbb{Q}[X]/(X^4 + 12X^2 + 2)$ does not satisfy the conditions of Lemma 7, because it has $d = 8 \cdot 17$ and $d' = 8$.

For 'most' non-Galois quartic CM-fields $K$, the discriminant $d'$ does not divide $d$, in which case the conditions of Lemma 7 hold. This means that if we try to find our Weil numbers by taking random primes $p$ and checking if there exists a Weil $p^2$-number $\pi \in K$ as in Lemma 1, then we have a probability $(4h_K)^{-1}$ of success.
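Condition (4) of Lemma 7 is a finite computation once $d$ and $d'$ are known. The following Python is an added example, not code from the paper: it assumes $K$ is given by a polynomial $X^4 + aX^2 + b$ as in Example 8 (every quartic CM-field has such a defining polynomial with $a, b > 0$, since with $r = (-a + \sqrt{a^2 - 4b})/2$ we get $K = K_0(\sqrt r)$, $K_0 = \mathbb{Q}(\sqrt{a^2 - 4b})$ and $s = N_{K_0/\mathbb{Q}}(r) = b$), computes $d$ and $d'$, factors both into prime discriminants and decides whether the conditions of Lemma 7 hold; the second input field is constructed for this example.

```python
"""Lemma 7(4) for K = Q[X]/(X^4 + a X^2 + b), as in Example 8.
Added example (not the paper's code).  Here K_0 = Q(sqrt(a^2 - 4b)), so d is the
discriminant of Q(sqrt(a^2 - 4b)), and s = b, so d' is the discriminant of Q(sqrt(b))."""
from math import isqrt


def squarefree_part(m):
    """sign(m) times the squarefree kernel of |m| (trial division; fine for small m)."""
    sign, m = (-1 if m < 0 else 1), abs(m)
    m0, f = 1, 2
    while f * f <= m:
        e = 0
        while m % f == 0:
            m //= f
            e += 1
        if e % 2:
            m0 *= f
        f += 1
    return sign * m0 * m            # the leftover m is 1 or a prime


def quadratic_discriminant(m):
    """Discriminant of Q(sqrt(m)) for a non-square integer m."""
    m0 = squarefree_part(m)
    assert m0 != 1, "m is a square, Q(sqrt(m)) = Q"
    return m0 if m0 % 4 == 1 else 4 * m0


def prime_discriminants(d):
    """Factor a quadratic discriminant into prime discriminants: l* = +-l = 1 (mod 4)
    for each odd prime l | d, plus at most one even factor -4, 8 or -8."""
    factors, rest = [], d
    odd = abs(d)
    while odd % 2 == 0:
        odd //= 2
    l = 3
    while odd > 1:                  # the odd part of a discriminant is squarefree
        if odd % l == 0:
            odd //= l
            lstar = l if l % 4 == 1 else -l
            factors.append(lstar)
            rest //= lstar
        else:
            l += 2
    if rest != 1:                   # whatever is left is the even prime discriminant
        assert rest in (-4, 8, -8), d
        factors.append(rest)
    return sorted(factors)


def is_nongalois_quartic_cm(a, b):
    """X^4 + a X^2 + b defines a non-Galois quartic CM-field iff a, b > 0 and none of
    a^2 - 4b (> 0), b, b(a^2 - 4b) is a square (the Galois group is then D4)."""
    def square(x):
        return x >= 0 and isqrt(x) ** 2 == x
    e = a * a - 4 * b
    return a > 0 and b > 0 and e > 0 and not (square(e) or square(b) or square(b * e))


def lemma7_condition(a, b):
    """Return (d, d', Lemma 7(4) holds?): does some prime discriminant of d'
    fail to occur in the prime discriminant factorization of d?"""
    assert is_nongalois_quartic_cm(a, b)
    d = quadratic_discriminant(a * a - 4 * b)
    d_prime = quadratic_discriminant(b)
    missing = set(prime_discriminants(d_prime)) - set(prime_discriminants(d))
    return d, d_prime, bool(missing)


if __name__ == "__main__":
    print(lemma7_condition(12, 2))  # Example 8: (136, 8, False), 8 already occurs in 8 * 17
    print(lemma7_condition(6, 3))   # constructed: (24, 12, True), -4 | 12 is missing from -3 * -8
```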
4. The algorithms

The discussion in Section 3 leads to the following algorithm.



Algorithm 1.

Input: A non-Galois CM-field $K$ of degree 4 and a positive integer $\ell$.

Output: A prime $p$ of $\ell$ bits and a Weil $p^2$-number $\pi$ corresponding to the Jacobian $J_C$ of a curve of genus 2 over $\mathbb{F}_{p^2}$ such that $\#J_C(\mathbb{F}_{p^2})$ is prime.

(1) Take a random positive integer $p$ of $\ell$ bits.

(2) If $p$ is prime, continue. Otherwise, go to Step 1.

(3) If $pO_K$ factors as $\mathfrak{p}_1\bar{\mathfrak{p}}_1\mathfrak{p}_2$, continue. Otherwise, go to Step 1.

(4) If $\mathfrak{p}_1^2\mathfrak{p}_2$ is principal, let $\pi_0$ be a generator and let $v = \pi_0\bar\pi_0p^{-2}$. Otherwise, go to Step 1.

(5) If we have $v = N_{K/K_0}(w)$ for some $w \in O_K^*$, then put $\pi = w^{-1}\pi_0$. Otherwise, go to Step 1.

(6) If $N(u\pi - 1)$ is prime for some $u \in \{\pm 1\}$, then replace $\pi$ by $u\pi$. Otherwise, go to Step 1.

(7) return $p, \pi$.

Note that the group order $N(\pi - 1)$ of $J_C$ has about $4\ell$ bits since we have $N(\pi - 1) \approx N(\pi) = p^4$.

Theorem 9. If Algorithm 1 terminates, then the output is correct.

Fix the input field $K$ and assume that it satisfies the conditions of Lemma 7. If $K$ has no prime ideal of norm 2, and no prime above 2 is ramified in $K/K_0$, then the heuristic expected runtime of the algorithm is polynomial in $\ell$.

Proof. The output $\pi$ is a Weil $p^2$-number satisfying the conditions of Lemma 1, and the corresponding abelian surface $A$ has $\#A(\mathbb{F}_{p^2}) = N(\pi - 1)$ rational points, which proves that the output is correct.

All numbers encountered have logarithmic absolute values and heights that are bounded linearly in $\ell$, while the field $K$ is fixed. This shows that, using the algorithms of [5], all steps, including the primality and principality tests, as well as finding a generator of $\mathfrak{p}_1^2\mathfrak{p}_2$ and trying to extract a square root of $v$, take time polynomial in $\ell$. It therefore suffices to prove that the heuristic expected number of iterations of Step 1 is quadratic in $\ell$.

The number $p$ has a heuristic probability $1/(\ell\log 2)$ to be prime by the Prime Number Theorem. This shows that for each time Step 3 is reached, one expects to run Step 1 about $\ell\log 2$ times.

We will 'prove' that the heuristic bound holds even if we restrict in Step 3 to $\mathfrak{p}_1$ principal and generated by $\alpha$. By Lemma 7, the density of the set of primes $p$ that factor in the appropriate way and for which $\alpha$ exists is $(4h_K)^{-1}$, so we arrive at Step 4 (with $\mathfrak{p}_1 = (\alpha)$) with probability $(4h_K)^{-1}$.

Note that $\pi = -\alpha\bar\alpha^{-1}p$ is a generator of $\mathfrak{p}_1^2\mathfrak{p}_2$, so we pass Step 4 with $\pi_0 = w\pi$ for some unit $w \in O_K^*$.

Note that we have $p^2 = \pi\bar\pi$, hence $v = w\bar w$, proving that we pass Step 5 as well.

We now only need to show that $N(\pi - 1)$ is prime with sufficiently high probability. Treating $\alpha$ as a random element of $O = O_K$, we wish to know the probability that $X = N(\pi - 1)$ is prime, i.e., not divisible by any prime $q < X$. For each such $q$, we consider the homomorphism
$$\varphi : (O/qO)^* \to (O/qO)^*,$$
which sends $(\alpha \bmod q)$ to $(-\pi \bmod q)$. Now we have $q \mid N(\pi - 1)$ if and only if $\pi \equiv 1 \pmod{\mathfrak{q}}$ for some prime $\mathfrak{q} \mid q$ of $K$. Let $\varphi_{\mathfrak{q}}$ be the composition of $\varphi$ with the natural map $(O/qO)^* \to (O/\mathfrak{q})^*$. Note that we have $\pi \equiv 1 \pmod{\mathfrak{q}}$ if and only if $\alpha$ is an element of $\varphi_{\mathfrak{q}}^{-1}(-1)$. If we define
$$P_q = \frac{\#\{\alpha \in (O/qO)^* \mid \varphi_{\mathfrak{q}}(\alpha) \ne -1 \text{ for all } \mathfrak{q} \mid q\}}{\#(O/qO)^*},$$
then the heuristic probability of $q \nmid N(\pi - 1)$ equals $P_q$. As the homomorphism sends 1 to 1, we find $P_q > 0$ for all $q > 2$.

For $q = 2$, note that we have $N(x) = 1$ for every $x \in (O/2O)^*$. Then for all $\mathfrak{q} \mid q$ with $\mathfrak{q} = \bar{\mathfrak{q}}$, take $(x \bmod \mathfrak{q}) \in (O/\mathfrak{q})^*$ with $x \ne \bar x$, which is possible, because 2 is unramified in $K/K_0$. For $\mathfrak{q} \mid q$ with $\mathfrak{q} \ne \bar{\mathfrak{q}}$, take exactly one of $(x \bmod \mathfrak{q})$ and $(x \bmod \bar{\mathfrak{q}})$ equal to 1, which is possible because $\mathfrak{q}$ has norm $\ge 4$. Then $x\bar x^{-1} \ne 1 = -1 \pmod{\mathfrak{q}}$ for all $\mathfrak{q} \mid q$, which proves $P_2 > 0$.

We use the lower bound $P_q > 0$ for $q \le 17$.

For $q \ge 19$, note that we have
$$\#\varphi_{\mathfrak{q}}^{-1}(-1) \le \#\ker\varphi_{\mathfrak{q}} = \frac{\#(O/qO)^*}{\#\mathrm{im}\,\varphi_{\mathfrak{q}}},$$
and that $\mathrm{im}\,\varphi_{\mathfrak{q}} \supset \varphi_{\mathfrak{q}}(\mathbb{F}_q^*) = (\mathbb{F}_q^*)^4$ has order $\ge (q-1)/4$, hence we have
$$P_q \ge 1 - \frac{16}{q-1} \ge 1 - \frac{17}{q}.$$

We thus find heuristically that $N(\pi - 1)$ is prime with probability at least a positive constant times
$$Y = \prod_{\substack{19 \le q < X \\ q \text{ prime}}}\left(1 - \frac{17}{q}\right).$$

We find $\log(Y) \ge -\sum_{19 \le q < X} 17/q$ up to a constant factor, and the right hand side, by Mertens' theorem [10, Thm. 427 in 22.7], is $-17\log\log X$ plus something that converges to a constant if $X$ tends to infinity. In particular, we find that $1/Y$ is at most polynomial in $\log X \approx 4\ell$, which is what we needed to prove. □

Remark 10. For more detailed heuristics on prime order Jacobians of curves of genus 2 than what is in the proof of Theorem 9, see [26, §5.2.2].

Remark 11. The conditions of Lemma 7 are sufficient in Theorem 9 and, as we said before, they hold for 'most' non-Galois quartic CM-fields. They are however not necessary, and we give strictly weaker conditions in Section 6.

The following lemma shows that the conditions on the decomposition of 2 in $K$ are necessary in Theorem 9, and that these conditions are not specific to p-rank 1, or even to abelian surfaces. These conditions vanish however if one allows the group order to be 'almost prime' in the sense that it is a prime times a 'small' (say $< 16$) positive integer.
Lemma 12. Let $\pi$ be the Frobenius endomorphism of an abelian variety $A$ over a finite field $k$ of odd characteristic, and let $K = \mathbb{Q}(\pi)$. If one of the following conditions holds, then the order of $A(k)$ is even.

(1) $K$ has a prime ideal $\mathfrak{q}$ of norm 2,

(2) $K$ is totally real, or

(3) $K$ is a CM-field with totally real subfield $K_0$ and $K$ has a prime ideal $\mathfrak{q} \mid 2$ that is ramified in $K/K_0$.

Proof. If $\mathfrak{q}$ has norm 2, then we have $\pi \not\equiv 0 \pmod{\mathfrak{q}}$, hence $\pi - 1 \equiv 0 \pmod{\mathfrak{q}}$, which implies $2 \mid N(\pi - 1)$.

In the other two cases, complex conjugation is trivial on the group $(O/\mathfrak{q})^*$ of odd order. Note that $\pi\bar\pi \in \mathbb{Q}$ implies that $\pi^2 = \pi\bar\pi$ is trivial in that group, hence so is $\pi$. We see again that $\pi - 1 \equiv 0 \pmod{\mathfrak{q}}$ implies $2 \mid N(\pi - 1)$. □

Our second algorithm is a modification of Algorithm 1 in which we start with an element $\alpha \in O_K$, instead of with a prime $p$, and check if $p = N(\alpha)$ is a prime that decomposes in the appropriate manner. We use Algorithm 2 as a stepping stone towards Algorithm 3, which allows one to prescribe the embedding degree of the output by imposing congruence conditions on $\alpha$.



Algorithm 2.

Input: A non-Galois CM-field $K$ of degree 4 and a positive integer $\ell$.

Output: A prime $p$ of $\ell$ bits and a Weil $p^2$-number corresponding to the Jacobian $J_C$ of a curve $C$ of genus 2 over $\mathbb{F}_{p^2}$ such that $J_C$ has p-rank 1 and a prime number of $\mathbb{F}_{p^2}$-rational points.

(1) Take a random element $\alpha$ of $O_K$ of which the norm $N(\alpha)$ has $\ell$ bits.

(2) If $p = N(\alpha)$ is prime in $\mathbb{Z}$, continue. Otherwise, go to Step 1.

(3) If the prime $\beta = p\alpha^{-1}\bar\alpha^{-1}$ of $O_{K_0}$ remains prime in $O_K$, then let $\pi = \alpha^2\beta$. Otherwise, go to Step 1.

(4) If $N(u\pi - 1)$ is prime for some $u \in \{\pm 1\}$, then replace $\pi$ by $u\pi$. Otherwise, go to Step 1.

(5) return $p, \pi$.

Theorem 13. If Algorithm 2 terminates, then the output is correct.

Fix the input field $K$ and assume that it satisfies the conditions of Lemma 7. If $K$ has no prime ideal of norm 2, and no prime above 2 is ramified in $K/K_0$, then the heuristic expected runtime of the algorithm is polynomial in $\ell$.

Proof. By Lemma 6, the output $\pi$ is a Weil $p^2$-number satisfying the conditions of Lemma 1, and the corresponding abelian surface $A$ has $\#A(\mathbb{F}_{p^2}) = N(\pi - 1)$ rational points, which proves that the output is correct.

Lemma 7 shows that among the elements $\alpha$ of $O_K$ of prime norm, at least about 1 in every $4h_K$ has the appropriate factorization, so if we treat $N(\alpha)$ and $N(\pi - 1)$ as random integers as we did in the proof of Theorem 9, then we find again that the heuristic expected runtime is polynomial in $\ell$. □

Remark 14. Actually, the heuristic probability of passing from Step 3 to Step 4 in Algorithm 2 is $1/2$ instead of only $(4h_K)^{-1}$, as can be seen by applying Chebotarev's density theorem to the quadratic extension $LH/H$ from the proof of Lemma 7.

Curves of genus 2 with p-rank 1, preprint of May 12, 2010 



Algorithm 3 constructs p-rank-1 curves with prescribed embedding degree by imposing congruence conditions on $\alpha$ in a way that is similar to what is done in the algorithm of Freeman, Stevenhagen, and Streng [5].



Algorithm 3.

Input: A non-Galois CM-field $K$ of degree 4, a positive integer $\kappa$ and a prime number $r \equiv 1 \pmod{2\kappa}$ that splits completely in $K$.

Output: A prime $p$ and a Weil $p^2$-number $\pi$ corresponding to the Jacobian $J_C$ of a curve $C$ of genus 2 over $\mathbb{F}_{p^2}$ that has p-rank 1 and embedding degree $\kappa$ with respect to a subgroup of order $r$.

(1) Let $\mathfrak{r}$ be a prime of $K$ dividing $r$, let $\mathfrak{s} = r(\mathfrak{r}\bar{\mathfrak{r}})^{-1}$ and compute a basis $b$ of $O_K$.

(2) Take a random element $x$ of $\mathbb{F}_r^*$ and a primitive $2\kappa$-th root of unity $\zeta \in \mathbb{F}_r^*$.

(3) Take the 'small' $\alpha \in O_K$ such that $\alpha \bmod \mathfrak{r} = x$, $\alpha \bmod \bar{\mathfrak{r}} = x\zeta$ and $\alpha \bmod \mathfrak{s} = x^{-1}$. Here 'small' means that the coordinates with respect to the basis $b$ are $< r/2$, and $x^{-1}$ is interpreted with respect to the natural inclusion of $\mathbb{F}_r$ into $O_K/\mathfrak{s}$.

(4) If $p = N_{K/\mathbb{Q}}(\alpha)$ is prime in $\mathbb{Z}$, continue. Otherwise, go to Step 2.

(5) If the prime $\beta = p\alpha^{-1}\bar\alpha^{-1}$ of $O_{K_0}$ remains prime in $O_K$, let $\pi = \alpha^2\beta$. Otherwise, go to Step 2.

(6) return $p, \pi$.

Theorem 15. If Algorithm 3 terminates, then the output is correct. If the input field $K$ is fixed and satisfies the conditions of Lemma 7, then the heuristic expected runtime of the algorithm is polynomial in $r$.

Proof. The facts that the output has p-rank 1 and a Jacobian of order $N(\pi - 1)$ are proven as in the proof of Theorem 13.

If $r$ divides the group order $N(\pi - 1)$, then the embedding degree is the order of $(p^2 \bmod r)$ in the group $\mathbb{F}_r^*$ (see also [O, Proposition 2.1]). So to prove that $J_C$ has embedding degree $\kappa$ with respect to $r$, it suffices to prove that $p^2 \bmod r$ is a primitive $\kappa$-th root of unity in $\mathbb{F}_r^*$ and that $r$ divides $N(\pi - 1)$.

Let $\phi$ be the non-trivial automorphism of $K_0$. Then we have $\beta = \phi(\alpha\bar\alpha)$, hence $\pi \bmod \mathfrak{r} = (\alpha \bmod \mathfrak{r})^2(\phi(\alpha\bar\alpha) \bmod \mathfrak{r})$. Inside $\mathbb{F}_r$, we have
$$(\phi(\alpha\bar\alpha) \bmod \mathfrak{r}) = (\alpha\bar\alpha \bmod \mathfrak{s}) = (\alpha \bmod \mathfrak{s})(\bar\alpha \bmod \mathfrak{s}) = (\alpha \bmod \mathfrak{s})^2 = x^{-2},$$
hence we have $(\pi \bmod \mathfrak{r}) = 1$, so $r$ divides $N(\pi - 1)$. Moreover,
$$(p^2 \bmod r) = (p^2 \bmod \mathfrak{r}) = (\alpha \bmod \mathfrak{r})^2(\bar\alpha \bmod \mathfrak{r})^2(\phi(\alpha\bar\alpha) \bmod \mathfrak{r})^2 = (\alpha \bmod \mathfrak{r})^2(\alpha \bmod \bar{\mathfrak{r}})^2x^{-4} = \zeta^2$$
is a primitive $\kappa$-th root of unity.

This finishes the proof of the correctness of the output. Next we prove the heuristic runtime. As $r$ splits completely, $\alpha$ is a lift of some element modulo $r$. We treat its norm $p = N(\alpha)$ as a random integer of $4\log_2 r$ bits. The rest of the proof is as the proof of Theorem 13. □
Remark 16. Actually, the prime $r$ does not need to split completely in Algorithm 3. It suffices to have $rO_K = \mathfrak{r}\bar{\mathfrak{r}}\mathfrak{s}$, where $\mathfrak{r}$ is prime and $\mathfrak{s}$ may be prime or composite.

Remark 17. Note that if Algorithm 2 or 3 terminates, then $K$ satisfies the conditions of Lemma 7, which are therefore not only sufficient, but also necessary for each of these algorithms to terminate.

Let $A$ be a $g$-dimensional abelian variety over the finite field $k$ of $q$ elements. Its $\rho$-value with respect to a subgroup of $A(k)$ of order $r$ is defined to be $\rho = g\log q/\log r$. As we have $\log\#A(k) \approx g\log q$, the $\rho$-value measures the ratio between the bit size of $r$ and the bit size of the order of the full group of rational points on $A$. It is at least about 1 if $g$ is large. If we have $A = J_C$, then a point on $A$ can be represented by a $g$-tuple of points on $C$, hence $\rho$ is also the ratio between the bit size of a group element of $A$ and the bit size of $r$. For cryptography, one wants the $\rho$-value to be as small as possible to save bandwidth when transmitting points on $J_C$.

The prime $p$, computed as the norm of the element $\alpha$ in Step 3, is expected to satisfy $\log(p) \approx 4\log(r)$. Since our p-rank-1 curve is defined over $\mathbb{F}_{p^2}$, its $\rho$-value is $\rho = 2\log(p^2)/\log(r) \approx 16$. For a more detailed version of this heuristic analysis of the $\rho$-value, see Freeman, Stevenhagen, and Streng [5], who compute a $\rho$-value of about 8 for their ordinary abelian surfaces with prescribed embedding degree. For cryptographic applications, a $\rho$-value of 16 or even 8 is larger than desired, but it does show that pairing-based cryptography is possible for curves of genus 2 with p-rank 1.

When working with odd embedding degree $\kappa$, the embedding field $\mathbb{F}_p(\zeta_r)$ could be smaller than the field $\mathbb{F}_{p^2}(\zeta_r) = \mathbb{F}_{p^{2\kappa}}$ that is suggested by the embedding degree $\kappa$ (see also Hitt [H]). This may influence the security of pairing-based cryptography, but can easily be avoided by restricting to even embedding degree $\kappa$, or by only accepting primes $p$ such that $r$ does not divide $p^\kappa - 1$.

5. Constructing curves with given Weil numbers 

We will now explain the explicit CM construction of a curve C/Fp2 such that 
J(C) corresponds to our Weil p^-number tt. A more detailed exposition can be 
found in [6]. 

Honda's CM construction of the abelian variety corresponding to a given Weil $q$-number $\pi$ is based on the theory of complex multiplication of abelian varieties of Shimura and Taniyama [20, in particular §13, Thm. 1]. The analogous theory for elliptic curves is even more classical and dates back to the early 19th century. The first algorithmic application of the CM construction of elliptic curves is its application to primality proving by Atkin and Morain [1].

The construction starts by taking an abelian variety $A$ over a number field $F$ such that we have $\mathrm{End}(A) = O_K$, where $K$ is a field containing $\pi$, and reduces this variety modulo an appropriate prime $\mathfrak{P}$ of $F$. For our p-rank-1 Weil numbers $\pi$, one can take $K = \mathbb{Q}(\pi)$ and any prime $\mathfrak{P}$ dividing $p$.

In the dimension-2 case, instead of writing down the abelian surface $A$ itself, one only writes down the absolute Igusa invariants $j_1, j_2, j_3 \in F$ of the curve $C$ of which $A$ is the Jacobian. These invariants are the first three of a set of 10 invariants given on page 641 of [13]. One then reduces the invariants modulo $\mathfrak{P}$ and, assuming $(j_1 \bmod \mathfrak{P})$ is a unit, constructs $\overline{C} = (C \bmod \mathfrak{P})$ from the reduced invariants using Mestre's algorithm [16]. Honda's construction shows that $J(\overline{C})$ or its quadratic twist corresponds to our Weil $p^2$-number $\pi$.

In all practical implementations, the invariants $j_n \in F$ are represented by polynomials $H_1, H_2, H_3$ or $H_1, \hat H_2, \hat H_3$ called Igusa class polynomials. We explain the polynomials $\hat H_n$ later, but the polynomials $H_n$ are given by
$$H_n = \prod_C (X - j_n(C)),$$
where the product ranges over isomorphism classes of curves $C$ such that we have $\mathrm{End}(J(C)) \cong O_K$. For every triple $(j_1, j_2, j_3)$ of zeroes $j_n \in \overline{\mathbb{F}}_p$ of $H_n$ with $j_1 \ne 0$, one thus obtains a unique $\overline{\mathbb{F}}_p$-isomorphism class of curves. Assuming $j_1(C) \notin \mathfrak{P}$ for some $C$, a twist of at least one of the curves we obtain has Weil number $\pi$. Let $C$ be such a curve. As we know the group order $N(\pi - 1)$ of $J(C)(\mathbb{F}_{p^2})$, we can quickly check whether we have the correct curve by taking random points on its Jacobian and multiplying them by $N(\pi - 1)$.

As the field $K$ is fixed, so are its class polynomials. They can therefore be precomputed using any of the three known algorithms: the complex analytic method of Spallek [21] and van Wamelen [3S], for which Streng [53] recently gave the first runtime analysis and proof of correctness, the 2-adic method of Gaudry, Houtmann, Kohel, Ritzenthaler, and Weng [7], and the Chinese remainder method of Eisenträger and Lauter [3]. Alternatively, class polynomials can be found in the ECHIDNA database [M].

The alternative class polynomials $\hat H_n$ are given by
$$\hat H_n = \sum_C j_n(C)\prod_{C' \ne C}(X - j_1(C')) \qquad (n = 2, 3),$$
where both the product and the sum range over isomorphism classes of curves $C$ for which $\mathrm{End}(J(C)) \cong O_K$ holds. For any such $C$, we have $j_n(C)H_1'(j_1(C)) = \hat H_n(j_1(C))$. This implies that if every coefficient of $H_1$ has a denominator that is not divisible by $p$, and $(H_1 \bmod p)$ has a non-zero root of multiplicity 1, then we can compute the Igusa invariants of a curve $C$, which is automatically either the curve we want or a quadratic twist. The idea of using $\hat H_n$ and not the more standard Lagrange interpolation is due to Gaudry, Houtmann, Kohel, Ritzenthaler, and Weng, who show in [7] that $\hat H_n$ heuristically has a much smaller height.

6. A sufficient and necessary condition for Algorithm 1

As said before, the conditions of Lemma 7 are sufficient for all three algorithms to work and necessary for Algorithms 2 and 3. They are also easy to check and true for 'most' non-Galois quartic CM-fields. The current section gives a weaker condition that is both sufficient and necessary for Algorithm 1 to work. We also give examples to show that this condition is non-trivial and strictly weaker than that of Lemma 7.

Let $K$ be a non-Galois CM-field of degree 4. Let $C/\bar K$ be a curve of genus 2 over the algebraic closure $\bar K$ of $K$ such that $\operatorname{End}(J_C) = \mathcal O_K$ holds. Such $C$ are known to exist. The field $\mathbb Q(j) \subset \bar K$ generated over $\mathbb Q$ by all 10 absolute Igusa invariants $j_1(C), \ldots, j_{10}(C)$ of [13, page 641] is called the field of moduli of $C$. For any subfield $X \subset \bar K$, let $X(j)$ be the compositum $X \cdot \mathbb Q(j)$. Write $K = K_0(\sqrt r)$ for some $r \in K_0$ and let $K_0^r = \mathbb Q\bigl(\sqrt{N_{K_0/\mathbb Q}(r)}\bigr)$ (as before).

[Figure 1: diagram of the inclusions between the fields, not reproduced here; its recoverable vertices are $\mathbb Q$ at the bottom with $K$ and $\mathbb Q(j)$ above it.]

Figure 1. Inclusions between the fields

Lemma 18. Let $K$, $K_0^r$, $K(j)$ be as above and let $G$ be the Galois group of the normal closure of $K(j)$ over $\mathbb Q$. Let $S$ be the set of primes $p$ that factor in $K$ as $p\mathcal O_K = \mathfrak p_1 \bar{\mathfrak p}_1 \mathfrak p_2$ and such that there exists a Weil $p^2$-number $\pi$ such that we have $\pi\mathcal O_K = \mathfrak p_1^2 \mathfrak p_2$.

The Dirichlet density of $S$ is

$$\frac{\#\{g \in G \mid \operatorname{ord} g = 2,\ g|_{K_0^r} \neq \mathrm{id}_{K_0^r}\}}{\#G}.$$

If $S$ is non-empty, then it has positive density.

Corollary 19. If Algorithm 1 terminates on input $K$, then $\sigma$ as in Lemma 18 exists for $K$. Conversely, if $K$ is fixed and $\sigma$ exists for $K$, then Algorithm 1 heuristically has a polynomial runtime.

Proof of Corollary 19. If Algorithm 1 terminates, then $S$ is non-empty, hence $\sigma$ exists by Lemma 18. If $\sigma$ exists, then the proof of Theorem 11 is valid, so Algorithm 1 heuristically has a polynomial runtime. □

To prove Lemma 18, we need some more theory. Let $L$ be the normal closure of $K$. A CM-type of $K$ is a set $\Phi$ of two embeddings $\varphi : K \to L$ that satisfies $\Phi \cap \bar\Phi = \emptyset$. Let $C$ be a curve as above, and let $\Phi = \{\varphi_1, \varphi_2\}$ be its CM-type as defined in [20, §5.2]. The exact definition of this CM-type will not be important to us.

The reflex field

$$K^r = \mathbb Q\Bigl(\sum_{\varphi \in \Phi} \varphi(x) : x \in K\Bigr) \subset L$$

of $K$ with respect to $\Phi$ is one of the two non-Galois CM subfields of $L$ of degree 4 that are not conjugates of $K$. Its real quadratic subfield $K_0^r$ does not depend on $\Phi$ and is exactly the field $K_0^r$ that we have seen above Lemma 7. By [19, Prop. 20.3(i)], we have $K^r \subset \mathbb Q(j)$, so that we have the inclusions of fields shown in Figure 1.
The main theorem of complex multiplication gives $K^r(j)$ as an unramified abelian extension of $K^r$. To state it, we need to define the type norm of the reflex type of $\Phi$. Let $\Phi_L$ be the set of extensions of elements of $\Phi$ to $L$, so $\Phi_L$ is a CM-type of $L$ and so is the set $\Phi_L^{-1}$ of inverses of elements of $\Phi_L$. The set of restrictions of $\Phi_L^{-1}$ to $K^r$ is a CM-type $\Phi^r = \{\psi_1, \psi_2\}$ of $K^r$ called the reflex of $\Phi$ [20, §8.3]. By [20, §8.3, Prop. 29], for any fractional $\mathcal O_{K^r}$-ideal $\mathfrak a$, there is a unique fractional $\mathcal O_K$-ideal $N_{\Phi^r}(\mathfrak a)$ such that we have

$$N_{\Phi^r}(\mathfrak a)\,\mathcal O_L = \prod_{i=1}^{2} \psi_i(\mathfrak a)\,\mathcal O_L.$$

The map $N_{\Phi^r}$ from ideals of $K^r$ to ideals of $K$ is called the type norm with respect to $\Phi^r$.

Theorem 20 (Main Theorem 1 in §15.3 of [20]). The extension $K^r(j)/K^r$ is abelian and unramified. Its Galois group corresponds via the Artin map to $\mathrm{Cl}_{K^r}/H_0$, where $H_0$ is the group of ideal classes $[\mathfrak a]$ such that $N_{\Phi^r}(\mathfrak a)$ is principal and generated by an element $\mu \in K$ with $\mu\bar\mu \in \mathbb Q^*$. □

The following lemma computes $N_{\Phi^r}(\mathfrak q)$ for certain primes $\mathfrak q$.

Lemma 21. Let $K$ be a quartic CM-field and $p$ a prime that factors in $K$ as $p\mathcal O_K = \mathfrak p_1 \bar{\mathfrak p}_1 \mathfrak p_2^e$.

(1) The prime $p$ factors in $K_0^r$ as $\mathfrak s^e$ for a prime $\mathfrak s$, which splits in $K^r$ as $\mathfrak s\mathcal O_{K^r} = \mathfrak q\bar{\mathfrak q}$; and

(2) we have $N_{\Phi^r}(\mathfrak q) = \mathfrak p_1^{2/e} \mathfrak p_2$ (up to complex conjugation).

Proof. Let $\mathfrak P \subset \mathcal O_L$ be the unique prime over $\mathfrak p_1$. Part (1) follows from the fact that the decomposition group of $\mathfrak P$ is $\operatorname{Gal}(L/K)$ and that the inertia group has order $e$.

For part (2), let $s$ be the generator of $\operatorname{Gal}(L/K)$, let $s'$ be the generator of $\operatorname{Gal}(L/K^r)$ and set $r = ss'$. Then $\Phi_L \subset \operatorname{Gal}(L/\mathbb Q)$ has 4 elements and satisfies $\Phi_L s = \Phi_L$ and $\Phi_L^{-1} s' = \Phi_L^{-1}$, hence $\Phi_L^{-1}$ is $\{1, s, s', ss'\}$ or its complex conjugate, and we have $\Phi^r = \{1, s|_{K^r}\}$ up to complex conjugation. Take $\psi_1 = 1$, $\psi_2 = s$. We compute

$$N_{\Phi^r}(\mathfrak q)\,\mathcal O_L = (\mathfrak q\mathcal O_L)\,(s(\mathfrak q)\mathcal O_L) = \mathfrak P^2\, s'(\mathfrak P)\, r(\mathfrak P) = (\mathfrak p_1^{2/e}\mathcal O_L)(\mathfrak p_2\mathcal O_L),$$

up to complex conjugation, which proves (2). □

Proof of Lemma 18. Let $p$ be a prime number that is unramified in $K$. We prove that $p$ is in $S$ if and only if its decomposition group in the normal closure of $K(j)$ is of order 2 and acts non-trivially on $K_0^r$. Chebotarev's density theorem [17, Theorem 13.4] then proves the formula for the density. Moreover, if $S$ is non-empty, then $\sigma$ exists, hence the density is positive.

Let $p$ be a prime number and let $\sigma \in G$ be its $p$-th power Frobenius. Suppose $p$ is in $S$ and write $p\mathcal O_K = \mathfrak p_1 \bar{\mathfrak p}_1 \mathfrak p_2$. The image of $\sigma$ in $\operatorname{Gal}(L/\mathbb Q)$ generates $\operatorname{Gal}(L/K)$ or its conjugate, hence has order 2. It follows that $p$ is inert in $K_0^r/\mathbb Q$ and splits into two factors $\mathfrak q$ and $\bar{\mathfrak q}$ in $K^r$. Lemma 21 shows that the type norm of $\mathfrak q$ is $N_{\Phi^r}(\mathfrak q) = \mathfrak p_1^2 \mathfrak p_2 = \pi\mathcal O_K$ or its complex conjugate, and we have $\pi\bar\pi \in \mathbb Q^*$, so we find $[\mathfrak q] \in H_0$, hence $\sigma^2$ is trivial on $K^r(j)$ and in particular on $\mathbb Q(j)$.

Recall that $\mathbb Q(j)$ is the field generated over $\mathbb Q$ by the absolute Igusa invariants of $C$ and that $C$ is any curve with CM by $\mathcal O_K$. In particular, we can replace $C$ by ${}^\tau C$ for any automorphism $\tau$ of $\bar K/\mathbb Q$. This shows that $\sigma^2$ is also trivial on ${}^\tau\mathbb Q(j)$ for any $\tau$, and hence is trivial on the normal closure of $\mathbb Q(j)$. As it is also trivial on the normal closure $L$ of $K$, we find that it is trivial on the normal closure of $K(j)$, and hence $\sigma$ is in the set of Lemma 18.

Conversely, suppose that $\sigma^2$ is trivial and $\sigma$ is non-trivial on $K_0^r$. As $\sigma|_L$ generates $\operatorname{Gal}(L/K)$ or a conjugate, we find that $p$ factors as $p\mathcal O_K = \mathfrak p_1 \bar{\mathfrak p}_1 \mathfrak p_2$. Again, the prime $p$ is inert in $K_0^r/\mathbb Q$ and splits into two factors $\mathfrak q$ and $\bar{\mathfrak q}$ in $K^r$ with type norms $\mathfrak p_1^2 \mathfrak p_2$ and its complex conjugate. As we have $\sigma^2 = 1$, we find by Theorem 20 that $\mathfrak p_1^2 \mathfrak p_2 = \pi\mathcal O_K$ holds for some $\pi \in \mathcal O_K$ that satisfies $\pi\bar\pi \in \mathbb Q^*$. Since also $\pi\bar\pi$ is positive and has absolute value $p^2$, it is a Weil $p^2$-number and $p$ is in $S$. □

Example 22. For the field $K = \mathbb Q[X]/(X^4 + 12X^2 + 2)$ of Example 8, we can find $\mathbb Q(j)$ in the ECHIDNA database [14] and compute that $\mathbb Q(j)$ contains the field $F = \mathbb Q\bigl(\sqrt{2 + \sqrt 2}\bigr)$, which is cyclic Galois over $\mathbb Q$ and contains $K_0^r = \mathbb Q(\sqrt 2)$. Any automorphism of $F$ of order 2 is trivial on $K_0^r$, so the density of $S$ in Lemma 18 is 0 and none of our algorithms works for this field.

Example 23. For the field $K = \mathbb Q[X]/(X^4 + 20X^2 + 5)$, we have $13 \in S$, so that $S$ has positive density and Algorithm 1 works for $K$. However, the discriminant of $K_0^r = \mathbb Q(\sqrt 5)$, which is 5, is a prime discriminant and occurs in the prime discriminant factorization $d = (-4) \cdot (5) \cdot (-19)$ of the discriminant $d$ of $K_0$. This shows that $K$ does not satisfy the conditions of Lemma 7, which are therefore too strong for Algorithm 1.

7. Factorization of class polynomials modulo p 

While experimenting with the explicit CM construction for curves of $p$-rank 1, we found that in the (ramified) case $e = 2$ of Lemma [U the polynomial $H_1 \bmod p$ has no roots of multiplicity 1 in $\bar{\mathbb F}_p$, which made working with $\hat H_n$ impossible. The current section explains this phenomenon, and shows how to adapt $H_1, \hat H_2, \hat H_3$ to deal with this situation. We also explain the analogue of this for the situation $e = 1$, for which there is no problem.

Let $K$, $C$, and $j$ be as in Section 6. If $j_1(C) \neq 0$ is a simple root of $H_1$, which is 'usually' the case, then we have $\mathbb Q(j) = \mathbb Q(j_1(C))$ since we can compute $j_n(C)$ from $j_1(C)$ using the polynomials $\hat H_2$ and $\hat H_3$ as we have seen in Section 5. The Kummer–Dedekind theorem thus relates the factorization of $(H_1 \bmod p) \in \mathbb F_p[X]$ to the factorization of $p$ in (an order in) $\mathbb Q(j)$.

Lemma 24. Let $p$ be a prime that factors in $K$ as $p\mathcal O_K = \mathfrak p_1 \bar{\mathfrak p}_1 \mathfrak p_2^e$, and let $n$ be the smallest positive integer such that $en$ is even and $(\mathfrak p_1 \mathfrak p_2^{e/2})^n$ is generated by a Weil $p^n$-number $\pi$. Then any prime $\mathfrak q$ of $K^r$ lying over $p$ decomposes in $K^r(j)/K^r$ into distinct primes of residue degree $en/2$.

Proof. Recall from Theorem 20 that $K^r(j)$ is the unramified abelian extension of $K^r$ such that the Artin map induces an isomorphism $\mathrm{Cl}_{K^r}/H_0 \to \operatorname{Gal}(K^r(j)/K^r)$, where $H_0 \subset \mathrm{Cl}_{K^r}$ is the subgroup of ideal classes $[\mathfrak a]$ such that $N_{\Phi^r}(\mathfrak a)$ is principal and generated by an element $\mu \in K$ with $\mu\bar\mu \in \mathbb Q^*$.

The Artin isomorphism sends $[\mathfrak q]$ to a generator of the decomposition group of $\mathfrak q$, so it suffices to prove that $[\mathfrak q]$ has order $en/2$ in the quotient group $\mathrm{Cl}_{K^r}/H_0$. Lemma 21 computes that $N_{\Phi^r}(\mathfrak q^m)$ is either $(\mathfrak p_1^{2/e} \mathfrak p_2)^m$ or its complex conjugate, so the smallest integer $m$ with $[\mathfrak q^m] \in H_0$ is exactly $m = en/2$. □

Corollary 25. Let $p$, $n$ be as in Lemma 24. Then $p$ splits into prime factors of residue degree $n$ in $\mathbb Q(j)/\mathbb Q$. Each factor occurs exactly $e$ times.

Proof. Each prime factor of $p$ has residue degree $en/2$ in $K^r(j)/K^r$ by Lemma 24 and $2/e$ in $K^r/\mathbb Q$ by Lemma 21, hence $n$ in $K^r(j)/\mathbb Q$. As all ramification of $p$ takes place in $K_0^r/\mathbb Q$, we find that the ramification index of each prime factor of $p$ in $K^r(j)/\mathbb Q$ is $e$.

We have seen in Figure 1 that $\mathbb Q(j)$ contains $K^r$. As the residue degree and ramification index of $p$ in $K^r/K_0^r$ are 1, we find that the residue degree and ramification index of $p$ are also $n$ and $e$ in $\mathbb Q(j)/\mathbb Q$. □

Corollary 26. If $p$ factors in $K$ as $p\mathcal O_K = \mathfrak p_1 \bar{\mathfrak p}_1 \mathfrak p_2^2$, then $(H_1 \bmod p) \in \mathbb F_p[X]$ has no roots of multiplicity 1 in $\bar{\mathbb F}_p$.

Proof. The polynomial $H_1 \in \mathbb Q[X]$ is monic and the denominators of the coefficients are not divisible by $p$ because they are Igusa invariants of a curve that has potential good reduction modulo $p$. Let $c \in \mathbb Z$ not divisible by $p$ be such that $H_1(cX)$ is in $\mathbb Z[X]$ and let $f \in \mathbb Z[X]$ be an arbitrary irreducible factor of $H_1(cX) \in \mathbb Z[X]$. We find an order $\mathcal O = \mathbb Z[X]/f$ in $\mathbb Q(j)$. Each irreducible factor $g \in \mathbb F_p[X]$ of $(H_1 \bmod p)$ corresponds to the prime ideal $\mathfrak p = (p, g(X))$ of $\mathcal O$. As every prime over $p$ ramifies in $\mathbb Q(j)/\mathbb Q$ by Corollary 25, we find that $\mathfrak p$ is either ramified or singular. By the Kummer–Dedekind theorem (Theorem 8.2 of [22]), both cases imply that the roots of $g$ have multiplicity at least 2 as roots of $(H_1 \bmod p)$. □

This shows that $H_1, \hat H_2, \hat H_3$ cannot be used for the case $e = 2$. To get around this, we replace $H_1$ by an irreducible factor $f \in K_0^r[X]$ and $\hat H_n$ by the unique polynomial $S_n$ of degree at most $\deg(f) - 1$ that is congruent modulo $f$ to $\hat H_n (H_1/f)^{-1}$. If we write $p\mathcal O_{K_0^r} = \mathfrak s^2$, then $(f \bmod \mathfrak s)$, $(S_2 \bmod \mathfrak s)$, $(S_3 \bmod \mathfrak s) \in \mathbb F_p[X]$ can be used in exactly the same way as $(H_1 \bmod p)$, $(\hat H_2 \bmod p)$, $(\hat H_3 \bmod p)$ and do not suffer from Corollary 25.

Corollary 27. For all but finitely many of the primes $p$ that decompose as $p\mathcal O_K = \mathfrak p_1 \bar{\mathfrak p}_1 \mathfrak p_2$, the reduction $(H_1 \bmod p) \in \mathbb F_p[X]$ is a product of distinct irreducible polynomials in $\mathbb F_p[X]$ of degree $n$ for $n$ given in Lemma 24 (and depending on $p$).

Proof. We exclude the primes dividing the denominator of any coefficient of $H_1$, as well as those dividing the discriminant. Then all roots of $(H_1 \bmod p)$ in $\bar{\mathbb F}_p$ are simple roots. Let $f$, $\mathcal O$ be as in the proof of Corollary 26. Then $p$ does not divide the index of $\mathcal O$ in its maximal order. The fact that every prime of $\mathbb Q(j)$ has residue degree $n$ implies that every irreducible factor of $f \bmod p$ has degree $n$. □

8. Examples 

Algorithm 1. We provide examples of $p$-rank-1 curves $C/\mathbb F_{p^2}$ such that the Jacobian $J_C$ is simple and has prime order. The CM-field for all examples is $K = \mathbb Q(\alpha)$, where $\alpha$ is a root of the polynomial $X^4 + 34X^2 + 217 \in \mathbb Q[X]$, which satisfies the conditions of Lemma 7. We give the prime $p$, the coefficients $a_1$ and $a_2$ of the minimal polynomial

$$f = X^4 - a_1 X^3 + (a_2 + 2p^2) X^2 - a_1 p^2 X + p^4$$

of the Frobenius endomorphism and the coefficients $c_i \in \mathbb F_{p^2}$ of the curve equation

$$C : y^2 = c_5 x^5 + c_4 x^4 + c_3 x^3 + c_2 x^2 + c_1 x + c_0.$$

The group order of the Jacobian is $\# J_C(\mathbb F_{p^2}) = N(\pi - 1) = f(1)$. The field $\mathbb F_{p^2}$ is given as $\mathbb F_p(\sigma)$, where $\sigma^2 = -3$. Section headings describe the number of bits of the group order $\# J_C(\mathbb F_{p^2})$.

Each example was generated in a few seconds on a standard PC after precomputation of the Igusa class polynomials of $K$.

160-bit group size.

$p = 924575392409$, $a_1 = 3396725192754$
$a_2 = 2876182159630959921399337$, $c_5 = \sigma$
$c_4 = 349419850452 \cdot \sigma + 621473390194$
$c_3 = 638315825844 \cdot \sigma + 895470286740$
$c_2 = 247903071476 \cdot \sigma + 504258872407$
$c_1 = 494346973570 \cdot \sigma + 326558224146$
$c_0 = 721392332677 \cdot \sigma + 210623692149$

192-bit group size.

$p = 236691298903769$, $a_1 = -9692493559086$
$a_2 = -58992172275797931791883572663$, $c_5 = \sigma$
$c_4 = 144046547562595 \cdot \sigma + 31854049506043$
$c_3 = 134634542821316 \cdot \sigma + 20155601614364$
$c_2 = 159093189820788 \cdot \sigma + 52669766944798$
$c_1 = 223684436822489 \cdot \sigma + 66232364455191$
$c_0 = 206430094481010 \cdot \sigma + 170879851904277$

256-bit group size.

$p = 15511800964685067143$, $a_1 = 2183138494024250742$
$a_2 = -871403391229975003782565554464700664457$, $c_5 = 1$
$c_4 = 7019198877313644539 \cdot \sigma + 8886572032497699458$
$c_3 = 8069566800142565548 \cdot \sigma + 11092851174307405252$
$c_2 = 8339873208295381793 \cdot \sigma + 13688811293938352344$
$c_1 = 10474983032301001361 \cdot \sigma + 14509908493781086362$
$c_0 = 4803877905347330504 \cdot \sigma + 12900291622358663970$

Algorithm 3.

192-bit group size, embedding degree 12. Let $K$ be the field $K = \mathbb Q[X]/(X^4 + 13X^2 + 41)$ and let $k = 12$. It took a few seconds to find the smallest prime $r > 2^{192}$ that splits completely in $K$ and $\mathbb Q(\zeta_{12})$, which is $r = 2^{192} + 18513$. We ran Algorithm 3 with input $K$, $k$, $r$. The algorithm terminated after about 11 minutes and found a prime $p$ and a Weil number with $p$-rank 1 and embedding degree 12 with respect to a subgroup of order $r$. Using $p$ and precomputed Igusa class polynomials, we were able to find an equation for the corresponding hyperelliptic curve $C$ in less than a second. We only give $p$, because $\pi$ and the coefficients of $C$ would take up too much space.

p = 1420038565958074827476353870489770880715201360323415690146120568
6404970976014364663695672498066437749119607973051961772352102985
5649462172148699393958968638652107696147277436345811056227385195
781997362304851932650270514293705125991379
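The Algorithm 1 data above can be checked without any curve arithmetic: from $(p, a_1, a_2)$ one rebuilds $f$, reads off the group order $f(1) = N(\pi - 1)$, and tests it for primality. The following Python script is an added example, not code from the paper; the $p$-rank rule it applies (count the non-zero roots of $f \bmod p$, so that $p$-rank 1 means $p \mid a_2$ and $p \nmid a_1$) is standard but is not stated on this page, and `is_probable_prime` is an ordinary Miller–Rabin routine written for this example.

```python
# Added example (not from the paper): checks on the Algorithm 1 data of
# Section 8. From p, a1, a2 rebuild f = X^4 - a1 X^3 + (a2 + 2p^2) X^2
# - a1 p^2 X + p^4, read off #J = f(1) = N(pi - 1), derive the p-rank from
# f mod p (a standard rule not stated on this page) and test f(1) for primality.
import random

def frobenius_poly(p, a1, a2):
    """Coefficients of f, highest degree first."""
    q = p * p
    return [1, -a1, a2 + 2 * q, -a1 * q, q * q]

def group_order(p, a1, a2):
    """#J_C(F_{p^2}) = N(pi - 1) = f(1) = sum of the coefficients of f."""
    return sum(frobenius_poly(p, a1, a2))

def is_weil_symmetric(coeffs, q):
    """Degree-4 Weil q-polynomials are q-reciprocal: c4 = q^2 c0, c3 = q c1."""
    c0, c1, _, c3, c4 = coeffs
    return c4 == q * q * c0 and c3 == q * c1

def p_rank(p, a1, a2):
    """p-rank = number of non-zero roots of (f mod p), with multiplicity.
    Only X^4 - a1 X^3 + a2 X^2 survives modulo p, so the answer is 2 if
    p does not divide a2, 1 if p | a2 but p does not divide a1, else 0."""
    if a2 % p != 0:
        return 2
    return 1 if a1 % p != 0 else 0

def is_probable_prime(n, rounds=32):
    """Trial division by small primes, then Miller-Rabin with seeded bases."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    rng = random.Random(2011)  # fixed seed keeps the check reproducible
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def check_example(p, a1, a2):
    """Bit size, p-rank and primality of f(1) for one (p, a1, a2) triple."""
    order = group_order(p, a1, a2)
    return {"bits": order.bit_length(), "p_rank": p_rank(p, a1, a2),
            "prime_order": is_probable_prime(order)}

# The 256-bit Algorithm 1 example of Section 8 (values copied from the page).
EXAMPLE_256 = (15511800964685067143, 2183138494024250742,
               -871403391229975003782565554464700664457)

if __name__ == "__main__":
    print(check_example(*EXAMPLE_256))
```

The same `check_example` call applies unchanged to the 160-bit and 192-bit triples listed above.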



Acknowledgements. We thank Peter Bruin, David Kohel, Tanja Lange, Hendrik Lenstra, Joe Silverman, and Peter Stevenhagen for helpful advice.

References 

[1] A. O. L. Atkin and F. Morain. Elliptic curves and primality proving. Mathematics of Computation, 61:29-68, 1993. http://www.inria.fr/rrrt/rr-1256.html

[2] H. Cohen. A Course in Computational Algebraic Number Theory, volume 138 of Graduate Texts in Mathematics. Springer-Verlag, 1993.

[3] K. Eisentraeger and K. Lauter. A CRT algorithm for constructing genus 2 curves over finite fields, 2004. To appear in Arithmetic, Geometry and Coding Theory - AGCT-10 (Marseille), 2005. arXiv:math/0405305v2

[4] D. Freeman. Constructing pairing-friendly genus 2 curves over prime fields with ordinary Jacobians. In Pairing-Based Cryptography - Pairing 2007, volume 4575 of Lecture Notes in Computer Science, pages 152-176. Springer-Verlag, Berlin, 2007.

[5] D. Freeman, P. Stevenhagen, and M. Streng. Abelian varieties with prescribed embedding degree. In A. J. van der Poorten and A. Stein, editors, ANTS, volume 5011 of Lecture Notes in Computer Science, pages 60-73. Springer-Verlag, 2008. arXiv:0802.1886v1

[6] G. Frey and T. Lange. Complex multiplication. In H. Cohen, G. Frey, R. Avanzi, C. Doche, T. Lange, K. Nguyen, and F. Vercauteren, editors, Handbook of elliptic and hyperelliptic curve cryptography, pages 455-473. Chapman & Hall/CRC, 2006.

[7] P. Gaudry, T. Houtmann, D. Kohel, C. Ritzenthaler, and A. Weng. The 2-adic CM method for genus 2 curves with application to cryptography. In Advances in Cryptology - ASIACRYPT 2006, volume 4284 of Lecture Notes in Computer Science, pages 114-129. Springer-Verlag, Berlin, 2006. arXiv:math/0503148

[8] J. Gonzalez. On the p-rank of an abelian variety and its endomorphism algebra. Pub. Math., 42(1):119-130, 1998.

[9] E. Z. Goren. On certain reduction problems concerning abelian surfaces. Manuscripta Math., 94(1):33-43, 1997.

[10] G. H. Hardy and E. M. Wright. An Introduction to the Theory of Numbers. Oxford University Press, 1938.

[11] L. Hitt. On the minimal embedding field. In Pairing-Based Cryptography - Pairing 2007, volume 4575 of Lecture Notes in Computer Science, pages 294-301. Springer-Verlag, 2007.

[12] T. Honda. Isogeny classes of abelian varieties over finite fields. J. Math. Soc. Japan, 20:83-95, 1968.

[13] J.-I. Igusa. Arithmetic variety of moduli for genus 2. The Annals of Mathematics, 72(3):612-649, 1960.

[14] D. Kohel. ECHIDNA databases for elliptic curves and higher dimensional analogues. http://echidna.maths.usyd.edu.au/echidna/dbs/index.html

[15] D. Maisner and E. Nart. Abelian surfaces over finite fields as Jacobians. Experiment. Math., 11(3):321-337, 2002. With an appendix by Everett W. Howe.

[16] J.-F. Mestre. Construction de courbes de genre 2 à partir de leurs modules. In Effective methods in algebraic geometry (Castiglioncello, 1990), volume 94 of Progr. Math., pages 313-334. Birkhäuser Boston, Boston, MA, 1991.

[17] J. Neukirch. Algebraische Zahlentheorie. Springer, 1992.

[18] K. Rubin and A. Silverberg. Supersingular abelian varieties in cryptology. In Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology, volume 2442 of Lecture Notes in Computer Science, pages 336-353, 2002.

[19] G. Shimura. Abelian Varieties with Complex Multiplication and Modular Functions. Princeton University Press, 1998. Sections 1-16 essentially appeared before in G. Shimura and Y. Taniyama, Complex Multiplication of Abelian Varieties and Its Applications to Number Theory, Mathematical Society of Japan, 1961.

[20] G. Shimura and Y. Taniyama. Complex multiplication of abelian varieties and its applications to number theory, volume 6 of Publications of the Mathematical Society of Japan. The Mathematical Society of Japan, Tokyo, 1961.

[21] A.-M. Spallek. Kurven vom Geschlecht 2 und ihre Anwendung in Public-Key-Kryptosystemen. PhD thesis, Institut für Experimentelle Mathematik, Universität GH Essen, 1994.

[22] P. Stevenhagen. The arithmetic of number rings. In J. Buhler and P. Stevenhagen, editors, Surveys in Algorithmic Number Theory. Cambridge University Press, 2008.

[23] M. Streng. Computing Igusa class polynomials. arXiv:0903.4766v1, 2008.

[24] J. Tate. Classes d'isogénie des variétés abéliennes sur un corps fini (d'après T. Honda). Sémin. Bourbaki 1968/69, No. 352, pages 95-110, 1971.

[25] P. van Wamelen. Examples of genus two CM curves defined over the rationals. Mathematics of Computation, 68(225):307-320, 1999.

[26] A. Weng. Konstruktion kryptographisch geeigneter Kurven mit komplexer Multiplikation. PhD thesis, Institut für Experimentelle Mathematik, Universität GH Essen, 2001. http://www.iem.uni-due.de/zahlentheorie/preprints/wengthesis.pdf

[27] A. Weng. Constructing hyperelliptic curves of genus 2 suitable for cryptography. Math. Comp., 72(241):435-458, 2003.

Laura Hitt O'Connor and Gary McGuire, School of Mathematical Sciences, University College Dublin, Ireland

E-mail address: hitt36@gmail.com, gary.mcguire@ucd.ie

Michael Naehrig, Department of Mathematics and Computer Science, Eindhoven University of Technology, Den Dolech 2, 5600 MB Eindhoven, the Netherlands, and Microsoft Research, One Microsoft Way, Redmond, WA 98052, USA

E-mail address: michael@cryptojedi.org

URL: http://www.cryptojedi.org/users/michael/

Marco Streng, Mathematisch Instituut, Universiteit Leiden, Postbus 9512, 2300 RA Leiden, the Netherlands

E-mail address: streng@math.leidenuniv.nl
URL: http://www.math.leidenuniv.nl/~streng/



